Impact
An authenticated backend user with the editor.cms_pages, editor.cms_layouts, or editor.cms_partials permissions who would normally not be permitted to provide PHP code to be executed by the CMS due to cms.safe_mode being enabled can write specific Twig code to escape the Twig sandbox and execute arbitrary PHP.
This is not a problem for anyone who trusts their users with those permissions to usually write and manage PHP within the CMS by not having cms.safe_mode enabled. Still, it would be a problem for anyone relying on cms.safe_mode to ensure that users with those permissions in production do not have access to write and execute arbitrary PHP.
Patches
This issue has been patched in v3.4.15.
Workarounds
As a workaround, remove the specified permissions from untrusted users.
References
Credits to:
For more information
If you have any questions or comments about this advisory:
Impact
An authenticated backend user with the
editor.cms_pages,editor.cms_layouts, oreditor.cms_partialspermissions who would normally not be permitted to provide PHP code to be executed by the CMS due tocms.safe_modebeing enabled can write specific Twig code to escape the Twig sandbox and execute arbitrary PHP.This is not a problem for anyone who trusts their users with those permissions to usually write and manage PHP within the CMS by not having
cms.safe_modeenabled. Still, it would be a problem for anyone relying oncms.safe_modeto ensure that users with those permissions in production do not have access to write and execute arbitrary PHP.Patches
This issue has been patched in v3.4.15.
Workarounds
As a workaround, remove the specified permissions from untrusted users.
References
Credits to:
For more information
If you have any questions or comments about this advisory: